From e997823da83e6c4201eeb207fe13bc57f713f56a Mon Sep 17 00:00:00 2001
From: Archana Muniganti
Date: Wed, 1 Sep 2021 15:49:27 +0530
Subject: [PATCH] crypto/cnxk: make IPsec verify functions common

IPsec verify functions can be made common which can be used for both cn9k and cn10k

Signed-off-by: Archana Muniganti
Acked-by: Akhil Goyal
---
 drivers/crypto/cnxk/cn10k_ipsec.c | 116 +-----------------------------
 drivers/crypto/cnxk/cnxk_ipsec.h | 113 +++++++++++++++++++++++++++++
 2 files changed, 114 insertions(+), 115 deletions(-)

diff --git a/drivers/crypto/cnxk/cn10k_ipsec.c b/drivers/crypto/cnxk/cn10k_ipsec.c
index 98110872a3..5c57cf2818 100644
--- a/drivers/crypto/cnxk/cn10k_ipsec.c
+++ b/drivers/crypto/cnxk/cn10k_ipsec.c
@@ -17,120 +17,6 @@
 #include "roc_api.h"
-static int
-ipsec_xform_cipher_verify(struct rte_crypto_sym_xform *xform)
-{
- if (xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CBC) {
- switch (xform->cipher.key.length) {
- case 16:
- case 24:
- case 32:
- break;
- default:
- return -ENOTSUP;
- }
- return 0;
- }
-
- return -ENOTSUP;
-}
-
-static int
-ipsec_xform_auth_verify(struct rte_crypto_sym_xform *xform)
-{
- uint16_t keylen = xform->auth.key.length;
-
- if (xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC) {
- if (keylen >= 20 && keylen <= 64)
- return 0;
- }
-
- return -ENOTSUP;
-}
-
-static int
-ipsec_xform_aead_verify(struct rte_security_ipsec_xform *ipsec_xfrm,
- struct rte_crypto_sym_xform *crypto_xfrm)
-{
- if (ipsec_xfrm->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS &&
- crypto_xfrm->aead.op != RTE_CRYPTO_AEAD_OP_ENCRYPT)
- return -EINVAL;
-
- if (ipsec_xfrm->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS &&
- crypto_xfrm->aead.op != RTE_CRYPTO_AEAD_OP_DECRYPT)
- return -EINVAL;
-
- if (crypto_xfrm->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) {
- switch (crypto_xfrm->aead.key.length) {
- case ROC_CPT_AES128_KEY_LEN:
- case ROC_CPT_AES192_KEY_LEN:
- case ROC_CPT_AES256_KEY_LEN:
- break;
- default:
- return -EINVAL;
- }
- return 0;
- }
-
- return -ENOTSUP;
-}
-
-static int
-cn10k_ipsec_xform_verify(struct rte_security_ipsec_xform *ipsec_xfrm,
- struct rte_crypto_sym_xform *crypto_xfrm)
-{
- struct rte_crypto_sym_xform *auth_xform, *cipher_xform;
- int ret;
-
- if ((ipsec_xfrm->direction != RTE_SECURITY_IPSEC_SA_DIR_INGRESS) &&
- (ipsec_xfrm->direction != RTE_SECURITY_IPSEC_SA_DIR_EGRESS))
- return -EINVAL;
-
- if ((ipsec_xfrm->proto != RTE_SECURITY_IPSEC_SA_PROTO_ESP) &&
- (ipsec_xfrm->proto != RTE_SECURITY_IPSEC_SA_PROTO_AH))
- return -EINVAL;
-
- if ((ipsec_xfrm->mode != RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT) &&
- (ipsec_xfrm->mode != RTE_SECURITY_IPSEC_SA_MODE_TUNNEL))
- return -EINVAL;
-
- if ((ipsec_xfrm->tunnel.type != RTE_SECURITY_IPSEC_TUNNEL_IPV4) &&
- (ipsec_xfrm->tunnel.type != RTE_SECURITY_IPSEC_TUNNEL_IPV6))
- return -EINVAL;
-
- if (crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_AEAD)
- return ipsec_xform_aead_verify(ipsec_xfrm, crypto_xfrm);
-
- if (crypto_xfrm->next == NULL)
- return -EINVAL;
-
- if (ipsec_xfrm->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
- /* Ingress */
- if (crypto_xfrm->type != RTE_CRYPTO_SYM_XFORM_AUTH ||
- crypto_xfrm->next->type != RTE_CRYPTO_SYM_XFORM_CIPHER)
- return -EINVAL;
- auth_xform = crypto_xfrm;
- cipher_xform = crypto_xfrm->next;
- } else {
- /* Egress */
- if (crypto_xfrm->type != RTE_CRYPTO_SYM_XFORM_CIPHER ||
- crypto_xfrm->next->type != RTE_CRYPTO_SYM_XFORM_AUTH)
- return -EINVAL;
- cipher_xform = crypto_xfrm;
- auth_xform = crypto_xfrm->next;
- }
-
- ret = ipsec_xform_cipher_verify(cipher_xform);
- if (ret)
- return ret;
-
- ret = ipsec_xform_auth_verify(auth_xform);
- if (ret)
- return ret;
-
- return 0;
-}
-
 static uint64_t
 ipsec_cpt_inst_w7_get(struct roc_cpt *roc_cpt, void *sa)
 {
@@ -245,7 +131,7 @@ cn10k_ipsec_session_create(void *dev,
 return -EPERM;
 }
- ret = cn10k_ipsec_xform_verify(ipsec_xfrm, crypto_xfrm);
+ ret = cnxk_ipsec_xform_verify(ipsec_xfrm, crypto_xfrm);
 if (ret)
 return ret;
diff --git a/drivers/crypto/cnxk/cnxk_ipsec.h b/drivers/crypto/cnxk/cnxk_ipsec.h
index f6897a0e14..d1eb74ebbe 100644
--- a/drivers/crypto/cnxk/cnxk_ipsec.h
+++ b/drivers/crypto/cnxk/cnxk_ipsec.h
@@ -17,4 +17,117 @@ struct cnxk_cpt_inst_tmpl {
 uint64_t w7;
 };
+static inline int
+ipsec_xform_cipher_verify(struct rte_crypto_sym_xform *crypto_xform)
+{
+ if (crypto_xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CBC) {
+ switch (crypto_xform->cipher.key.length) {
+ case 16:
+ case 24:
+ case 32:
+ break;
+ default:
+ return -ENOTSUP;
+ }
+ return 0;
+ }
+
+ return -ENOTSUP;
+}
+
+static inline int
+ipsec_xform_auth_verify(struct rte_crypto_sym_xform *crypto_xform)
+{
+ uint16_t keylen = crypto_xform->auth.key.length;
+
+ if (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC) {
+ if (keylen >= 20 && keylen <= 64)
+ return 0;
+ } else if (roc_model_is_cn9k() &&
+ (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_SHA256_HMAC)) {
+ if (keylen >= 32 && keylen <= 64)
+ return 0;
+ }
+
+ return -ENOTSUP;
+}
+
+static inline int
+ipsec_xform_aead_verify(struct rte_security_ipsec_xform *ipsec_xform,
+ struct rte_crypto_sym_xform *crypto_xform)
+{
+ if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS &&
+ crypto_xform->aead.op != RTE_CRYPTO_AEAD_OP_ENCRYPT)
+ return -EINVAL;
+
+ if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS &&
+ crypto_xform->aead.op != RTE_CRYPTO_AEAD_OP_DECRYPT)
+ return -EINVAL;
+
+ if (crypto_xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) {
+ switch (crypto_xform->aead.key.length) {
+ case 16:
+ case 24:
+ case 32:
+ break;
+ default:
+ return -EINVAL;
+ }
+ return 0;
+ }
+
+ return -ENOTSUP;
+}
+
+static inline int
+cnxk_ipsec_xform_verify(struct rte_security_ipsec_xform *ipsec_xform,
+ struct rte_crypto_sym_xform *crypto_xform)
+{
+ struct rte_crypto_sym_xform *auth_xform, *cipher_xform;
+ int ret;
+
+ if ((ipsec_xform->direction != RTE_SECURITY_IPSEC_SA_DIR_INGRESS) &&
+ (ipsec_xform->direction != RTE_SECURITY_IPSEC_SA_DIR_EGRESS))
+ return -EINVAL;
+
+ if ((ipsec_xform->proto != RTE_SECURITY_IPSEC_SA_PROTO_ESP) &&
+ (ipsec_xform->proto != RTE_SECURITY_IPSEC_SA_PROTO_AH))
+ return -EINVAL;
+
+ if ((ipsec_xform->mode != RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT) &&
+ (ipsec_xform->mode != RTE_SECURITY_IPSEC_SA_MODE_TUNNEL))
+ return -EINVAL;
+
+ if ((ipsec_xform->tunnel.type != RTE_SECURITY_IPSEC_TUNNEL_IPV4) &&
+ (ipsec_xform->tunnel.type != RTE_SECURITY_IPSEC_TUNNEL_IPV6))
+ return -EINVAL;
+
+ if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD)
+ return ipsec_xform_aead_verify(ipsec_xform, crypto_xform);
+
+ if (crypto_xform->next == NULL)
+ return -EINVAL;
+
+ if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
+ /* Ingress */
+ if (crypto_xform->type != RTE_CRYPTO_SYM_XFORM_AUTH ||
+ crypto_xform->next->type != RTE_CRYPTO_SYM_XFORM_CIPHER)
+ return -EINVAL;
+ auth_xform = crypto_xform;
+ cipher_xform = crypto_xform->next;
+ } else {
+ /* Egress */
+ if (crypto_xform->type != RTE_CRYPTO_SYM_XFORM_CIPHER ||
+ crypto_xform->next->type != RTE_CRYPTO_SYM_XFORM_AUTH)
+ return -EINVAL;
+ cipher_xform = crypto_xform;
+ auth_xform = crypto_xform->next;
+ }
+
+ ret = ipsec_xform_cipher_verify(cipher_xform);
+ if (ret)
+ return ret;
+
+ return ipsec_xform_auth_verify(auth_xform);
+}
 #endif /* __CNXK_IPSEC_H__ */
-- 
2.20.1
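Review bot: In `cnxk_ipsec_xform_verify` the cipher+auth chain path checks only the order of the two transforms against `ipsec_xform->direction`, while `ipsec_xform_aead_verify` in the same hunk also rejects an `aead.op` that contradicts the direction. As written, an ingress SA whose chained transforms carry `RTE_CRYPTO_CIPHER_OP_ENCRYPT` and `RTE_CRYPTO_AUTH_OP_GENERATE` passes verification. Whether session setup later relies on those fields is not visible in this patch, so this is a consistency gap to confirm rather than a proven fault. If the op fields are meant to be honoured, check them in both branches and return `-EINVAL` on mismatch, as sketched below. Separately, the AES-GCM key lengths changed from `ROC_CPT_AES128_KEY_LEN` and its siblings to bare `16`/`24`/`32`; keeping the named constants would keep the intent readable.

```c
	if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
		/* ... unchanged: auth-then-cipher order check and assignment ... */
		if (auth_xform->auth.op != RTE_CRYPTO_AUTH_OP_VERIFY ||
		    cipher_xform->cipher.op != RTE_CRYPTO_CIPHER_OP_DECRYPT)
			return -EINVAL;
	} else {
		/* ... unchanged: cipher-then-auth order check and assignment ... */
		if (cipher_xform->cipher.op != RTE_CRYPTO_CIPHER_OP_ENCRYPT ||
		    auth_xform->auth.op != RTE_CRYPTO_AUTH_OP_GENERATE)
			return -EINVAL;
	}
```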